Traffic not hitting VM-Series Firewall in NSX

Created On 03/13/20 00:00 AM - Last Modified 04/04/20 00:54 AM


Symptom


  • Traffic was not hitting the VM-Series firewall after being redirected from NSX.
 
  • Perform PAN-OS traffic troubleshooting on the PA-VM to identify the traffic flow and verify whether the packets are received on the firewall.
  • Perform packet captures on the firewall based on configured filters to see whether any packets are captured. In this case, no packets were received on the firewall.
  • Review the Network Introspection Services under NSX > Security > Service Composer > Security Policies to verify that traffic is redirected to the correct Service Profile (Zone).
  • Enable logging on the NIS profile and review the DFW logs to verify whether the traffic is punted from the NSX Distributed Firewall towards the service PA-VM firewall. The following CLI command can be used on the ESXi host on which the PA-VM resides:
           $ tail -f /var/log/dfwpktlogs.log | grep 200.0.0.50
       2019-10-21T23:59:55.907Z 28062 INET match PUNT 4906/4907 OUT 52 TCP to-SVM 206.0.0.5/51909->10.54.41.126/7680 S
       2019-10-21T23:59:55.908Z 28062 INET match PUNT 4906/4907 OUT 52 TCP from-SVM 206.0.0.5/51909->10.54.41.126/7680 S
       2019-10-21T23:59:56.406Z 28062 INET match PUNT 4906/4907 OUT 52 TCP to-SVM 206.0.0.5/51910->10.55.90.174/7680 S
       2019-10-21T23:59:56.407Z 28062 INET match PUNT 4906/4907 OUT 52 TCP from-SVM 206.0.0.5/51910->10.55.90.174/7680 S
       2019-10-21T23:59:57.161Z 28062 INET match PUNT 4906/4910 IN 52 TCP to-SVM 110.0.0.5/59378->206.0.0.5/135 SEW
       2019-10-21T23:59:57.161Z 28062 INET match PUNT 4906/4910 IN 52 TCP from-SVM 110.0.0.5/59378->206.0.0.5/135 SEW
  • The log snippet above shows the ideal scenario, in which each flow is punted to the service VM (to-SVM) and returned from it (from-SVM). In this case, however, even though redirection was enabled on the NIS profile, traffic was not punted to the service VM at all.
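The DFW log check above can be automated on a saved copy of dfwpktlogs.log. The following is an added example, not part of the KB article; it assumes only the line format shown in the sample output, and the fourth sample line (a PASS entry) and the missing from-SVM leg for port 135 are constructed to exercise the non-redirected and partially redirected cases.

```python
import re
from collections import defaultdict

# Constructed sample in the dfwpktlogs.log format quoted above (not a real capture).
SAMPLE_LOG = """\
2019-10-21T23:59:55.907Z 28062 INET match PUNT 4906/4907 OUT 52 TCP to-SVM 206.0.0.5/51909->10.54.41.126/7680 S
2019-10-21T23:59:55.908Z 28062 INET match PUNT 4906/4907 OUT 52 TCP from-SVM 206.0.0.5/51909->10.54.41.126/7680 S
2019-10-21T23:59:57.161Z 28062 INET match PUNT 4906/4910 IN 52 TCP to-SVM 110.0.0.5/59378->206.0.0.5/135 SEW
2019-10-21T23:59:58.000Z 28062 INET match PASS 4906/4911 OUT 52 TCP 206.0.0.5/51999->10.54.41.200/443 S
"""

# Only PUNT lines represent a redirect to the service VM; PASS/DROP lines never reach the PA-VM.
PUNT_RE = re.compile(
    r"^(?P<ts>\S+) \d+ INET match PUNT (?P<rule>\S+) (?P<dir>IN|OUT) \d+ "
    r"(?P<proto>\S+) (?P<leg>to-SVM|from-SVM) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def punt_legs(log_text, ip):
    """Return {(proto, src:port, dst:port): set of legs} for PUNT lines involving ip."""
    flows = defaultdict(set)
    for line in log_text.splitlines():
        m = PUNT_RE.match(line)
        if not m or ip not in (m["src"], m["dst"]):
            continue
        flow = (m["proto"], f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}")
        flows[flow].add(m["leg"])
    return dict(flows)


def redirect_status(log_text, ip):
    """'none'    : no PUNT entries for ip (the failure case in this article)
       'partial' : some flow reached the SVM (to-SVM) but never came back (from-SVM)
       'ok'      : every punted flow shows both legs"""
    flows = punt_legs(log_text, ip)
    if not flows:
        return "none"
    if any(legs != {"to-SVM", "from-SVM"} for legs in flows.values()):
        return "partial"
    return "ok"
```

A result of "none" for a protected workload IP means the problem lies in NSX redirection rather than on the firewall, which is the conclusion this article reaches.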

 


Environment


  • Platform: PA-VM    
  • Deployment: Operations Centric 


Cause


  • VMware Issue


Resolution


  • Engage VMware support, as the issue is on the NSX side.

